From c83d80de36c3786b4c77183fb82a7434c3399b0c Mon Sep 17 00:00:00 2001
From: Mike Hall
Date: Tue, 8 Aug 2000 22:16:42 +0000
Subject: [PATCH] Added wiretap support to read the Cisco Secure Intrusion Detection System IPLog format.
svn path=/trunk/; revision=2231
---
 wiretap/Makefile.am | 4 +-
 wiretap/Makefile.nmake | 3 +-
 wiretap/csids.c | 254 +++++++++++++++++++++++++++++++++++++++++
 wiretap/csids.h | 24 ++++
 wiretap/file.c | 8 +-
 wiretap/wtap-int.h | 6 +-
 wiretap/wtap.h | 5 +-
 7 files changed, 298 insertions(+), 6 deletions(-)
 create mode 100644 wiretap/csids.c
 create mode 100644 wiretap/csids.h
diff --git a/wiretap/Makefile.am b/wiretap/Makefile.am
index 3881206dc1..cf67069949 100644
--- a/wiretap/Makefile.am
+++ b/wiretap/Makefile.am
@@ -1,7 +1,7 @@
 # Makefile.am
 # Automake file for Wiretap
 #
-# $Id: Makefile.am,v 1.29 2000/07/26 08:03:57 guy Exp $
+# $Id: Makefile.am,v 1.30 2000/08/08 22:16:41 mhall Exp $
 #
 # Ethereal - Network traffic analyzer
 # By Gerald Combs
@@ -40,6 +40,8 @@ libwiretap_a_SOURCES = \
 ascend-int.h \
 buffer.c \
 buffer.h \
+ csids.c \
+ csids.h \
 file.c \
 file_wrappers.c \
 file_wrappers.h \
diff --git a/wiretap/Makefile.nmake b/wiretap/Makefile.nmake
index 012d814b57..b2f6c5944f 100644
--- a/wiretap/Makefile.nmake
+++ b/wiretap/Makefile.nmake
@@ -1,5 +1,5 @@
 #
-# $Id: Makefile.nmake,v 1.13 2000/05/29 20:11:31 guy Exp $
+# $Id: Makefile.nmake,v 1.14 2000/08/08 22:16:41 mhall Exp $
 #
 include ..\config.nmake
@@ -15,6 +15,7 @@ OBJECTS=ascend-grammar.obj \
 ascend-scanner.obj \
 ascend.obj \
 buffer.obj \
+ csids.obj \
 file.obj \
 file_wrappers.obj \
 i4btrace.obj \
diff --git a/wiretap/csids.c b/wiretap/csids.c
new file mode 100644
index 0000000000..acb2c9cd0d
--- /dev/null
+++ b/wiretap/csids.c
@@ -0,0 +1,254 @@
+/* csids.c
+ *
+ * $Id: csids.c,v 1.1 2000/08/08 22:16:41 mhall Exp $
+ *
+ * Copyright (c) 2000 by Mike Hall
+ * Copyright (c) 2000 by Cisco Systems
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include "wtap-int.h"
+#include "buffer.h"
+#include "csids.h"
+#include "file_wrappers.h"
+
+#include
+#include
+#include
+
+/*
+ * This module reads the output from the Cisco Secure Intrustion Detection
+ * System iplogging facility. The term iplogging is misleading since this
+ * logger will only output TCP. There is no link layer information.
+ * Packet format is 4 byte timestamp (seconds since epoch), and a 4 byte size
+ * of data following for that packet.
+ *
+ * For a time there was an error in iplogging and the ip length, flags, and id
+ * were byteswapped. We will check for this and handle it before handing to ethereal.
+ *
+ */
+
+static int csids_read(wtap *wth, int *err);
+static int csids_seek_read(wtap *wth, int seek_off,
+ union wtap_pseudo_header *pseudo_header, guint8 *pd, int len);
+
+struct csids_header {
+ guint32 seconds; /* seconds since epoch */
+ guint32 caplen; /* the capture length */
+};
+
+/* XXX - return -1 on I/O error and actually do something with 'err'. */
+int csids_open(wtap *wth, int *err)
+{
+ /* There is no file header. There is only a header for each packet
+ * so we read a packet header and compare the caplen with iplen. They
+ * should always be equal except with the wierd byteswap version.
+ *
+ * THIS IS BROKEN-- anytime the caplen is 0x0101 or 0x0202 up to 0x0505
+ * this will byteswap it. I need to fix this. XXX --mlh
+ */
+
+ int tmp,iplen,bytesRead;
+
+ gboolean byteswap = FALSE;
+ struct csids_header hdr;
+ bytesRead=0;
+
+ file_seek(wth->fh, 0, SEEK_SET);
+
+ /* check the file to make sure it is a csids file. */
+ bytesRead = file_read( &hdr, sizeof( struct csids_header) , 1, wth->fh );
+ if( bytesRead != sizeof( struct csids_header) ) {
+ *err = file_error( wth->fh );
+ if( *err != 0 ) {
+ return -1;
+ } else {
+ return 0;
+ }
+ }
+ hdr.seconds = pntohl( &hdr.seconds );
+ hdr.caplen = pntohl( &hdr.caplen );
+ bytesRead = file_read( &tmp, 2, 1, wth->fh );
+ if( bytesRead != 2 ) {
+ *err = file_error( wth->fh );
+ if( *err != 0 ) {
+ return -1;
+ } else {
+ return 0;
+ }
+ }
+ bytesRead = file_read( &iplen, 2, 1, wth->fh );
+ if( bytesRead != 2 ) {
+ *err = file_error( wth->fh );
+ if( *err != 0 ) {
+ return -1;
+ } else {
+ return 0;
+ }
+ }
+ iplen = pntohs(&iplen);
+ if( iplen != hdr.caplen ) {
+ /* maybe this is just a byteswapped version. the iplen ipflags */
+ /* and ipid are swapped. We cannot use the normal swaps because */
+ /* we don't know the host */
+ iplen = BSWAP16(iplen);
+ if( iplen == hdr.caplen ) {
+ /* we know this format */
+ byteswap = TRUE;
+ } else {
+ /* don't know this one */
+ return 0;
+ }
+ } else {
+ byteswap = FALSE;
+ }
+
+ wth->data_offset = 0;
+ wth->capture.csids = g_malloc(sizeof(csids_t));
+ wth->capture.csids->byteswapped = byteswap;
+ wth->file_encap = WTAP_ENCAP_RAW_IP;
+ wth->file_type = WTAP_FILE_CSIDS;
+ wth->snapshot_length = 16384; /* just guessing */
+ wth->subtype_read = csids_read;
+ wth->subtype_seek_read = csids_seek_read;
+
+ /* no file header. So reset the fh to 0 so we can read the first packet */
+ file_seek(wth->fh, 0, SEEK_SET);
+
+ return 1;
+}
+
+/* Find the next packet and parse it; called from wtap_loop(). */
+static int csids_read(wtap *wth, int *err)
+{
+ guint8 *buf;
+ int bytesRead = 0;
+ struct csids_header hdr;
+ int packet_offset = wth->data_offset;
+
+ bytesRead = file_read( &hdr, sizeof( struct csids_header) , 1, wth->fh );
+ if( bytesRead != sizeof( struct csids_header) ) {
+ *err = file_error( wth->fh );
+ if( *err != 0 ) {
+ return -1;
+ } else {
+ return 0;
+ }
+ }
+ hdr.seconds = pntohl(&hdr.seconds);
+ hdr.caplen = pntohl(&hdr.caplen);
+
+ wth->data_offset += sizeof( struct csids_header );
+
+ /* Make sure we have enough room for the packet */
+ buffer_assure_space(wth->frame_buffer, hdr.caplen);
+ buf = buffer_start_ptr(wth->frame_buffer);
+
+ bytesRead = file_read( buf, hdr.caplen, 1, wth->fh );
+ if( bytesRead != hdr.caplen ) {
+ *err = file_error( wth->fh );
+ if( *err != 0 ) {
+ return -1;
+ }
+ }
+
+ wth->data_offset += hdr.caplen;
+
+ wth->phdr.len = hdr.caplen;
+ wth->phdr.caplen = hdr.caplen;
+ wth->phdr.ts.tv_sec = hdr.seconds;
+ wth->phdr.ts.tv_usec = 0;
+ wth->phdr.pkt_encap = WTAP_ENCAP_RAW_IP;
+
+ if( wth->capture.csids->byteswapped == TRUE ) {
+ guint16* swap = (guint16*)buf;
+ *(++swap) = BSWAP16(*swap); /* the ip len */
+ *(++swap) = BSWAP16(*swap); /* ip id */
+ *(++swap) = BSWAP16(*swap); /* ip flags and fragoff */
+ }
+
+ /* This is a hack to fix the fact that have to atleast return 1
+ * or we stop processing. csids has no file header. We recover from
+ * this hack in csids_seek_read by checking the seek_off == 1 and
+ * setting it back to 0.
+ */
+ return packet_offset ? packet_offset : 1;
+}
+
+/* Used to read packets in random-access fashion */
+static int
+csids_seek_read (wtap *wth,
+ int seek_off,
+ union wtap_pseudo_header *pseudo_header,
+ guint8 *pd,
+ int len)
+{
+ int err = 0;
+ int bytesRead = 0;
+ struct csids_header hdr;
+
+ /* hack to fix a problem with the way error checking is done. If the
+ * the return value from csids_read is 0 for the first packet, then
+ * we stop there. So I return 1. But that messes up the offset for
+ * the seek_off on this call. So if seek_off is 1 then make it 0 and
+ * if it is not 1 leave it alone. --mlh
+ */
+ int real_seek_off = seek_off;
+ if( real_seek_off == 1 ) {
+ real_seek_off = 0;
+ }
+
+ file_seek(wth->random_fh, real_seek_off , SEEK_SET);
+
+ bytesRead = file_read( &hdr, sizeof( struct csids_header) , 1, wth->random_fh );
+ if( bytesRead != sizeof( struct csids_header) ) {
+ err = file_error( wth->fh );
+ if( err != 0 ) {
+ return -1;
+ } else {
+ return 0;
+ }
+ }
+ hdr.seconds = pntohl(&hdr.seconds);
+ hdr.caplen = pntohl(&hdr.caplen);
+
+ if( len != hdr.caplen ) {
+ return -1;
+ }
+
+ bytesRead = file_read( pd, hdr.caplen, 1, wth->random_fh );
+ if( bytesRead != hdr.caplen ) {
+ err = file_error( wth->fh );
+ if( err != 0 ) {
+ return -1;
+ }
+ }
+
+ if( wth->capture.csids->byteswapped == TRUE ) {
+ guint16* swap = (guint16*)pd;
+ *(++swap) = BSWAP16(*swap); /* the ip len */
+ *(++swap) = BSWAP16(*swap); /* ip id */
+ *(++swap) = BSWAP16(*swap); /* ip flags and fragoff */
+ }
+
+ return 0;
+}
+
+
+
diff --git a/wiretap/csids.h b/wiretap/csids.h
new file mode 100644
index 0000000000..1adcf2d058
--- /dev/null
+++ b/wiretap/csids.h
@@ -0,0 +1,24 @@
+ /* csids.h
+ *
+ * $Id: csids.h,v 1.1 2000/08/08 22:16:42 mhall Exp $
+ *
+ * Copyright (c) 2000 by Mike Hall
+ * Copyright (c) Cisco Systems
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+int csids_open(wtap *wth, int *err);
diff --git a/wiretap/file.c b/wiretap/file.c
index 44af7b6139..d37d48172a 100644
--- a/wiretap/file.c
+++ b/wiretap/file.c
@@ -1,6 +1,6 @@
 /* file.c
 *
- * $Id: file.c,v 1.58 2000/07/31 04:48:54 guy Exp $
+ * $Id: file.c,v 1.59 2000/08/08 22:16:42 mhall Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez
@@ -50,6 +50,7 @@
 #include "netxray.h"
 #include "toshiba.h"
 #include "i4btrace.h"
+#include "csids.h"
 /* The open_file_* routines should return:
 *
@@ -94,6 +95,7 @@ static int (*open_routines[])(wtap *, int *) = {
 ascend_open,
 toshiba_open,
 i4btrace_open,
+ csids_open,
 };
 #define N_FILE_TYPES (sizeof open_routines / sizeof open_routines[0])
@@ -322,6 +324,10 @@ const static struct file_type_info {
 { "I4B ISDN trace", NULL, NULL, NULL },
+ /* WTAP_FILE_CSIDS */
+ { "CSIDS IPLog", NULL,
+ NULL, NULL },
+
 };
 /* Name that should be somewhat descriptive. */
diff --git a/wiretap/wtap-int.h b/wiretap/wtap-int.h
index 1e75cc2a89..6eae87b903 100644
--- a/wiretap/wtap-int.h
+++ b/wiretap/wtap-int.h
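Review bot: csids.h has no include guard around its single declaration, so it relies on every includer pulling it in exactly once; a repeated prototype is harmless today, but anything later moved into this header (a struct or typedef, say) would break on double inclusion. Wrap the body in `#ifndef CSIDS_H` / `#define CSIDS_H` before the comment block and `#endif` after the prototype. The opening `+ /* csids.h` is also indented by one space where the rest of the comment block is not.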
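Review bot: csids_open identifies a file only by comparing the first record's caplen with the IP total-length field (a heuristic its own comment marks as broken), so its position as the last entry of open_routines is what keeps it from claiming files that a magic-number-based opener listed after it would have recognised, and that dependency is recorded nowhere in the table. I would add a comment above the new entry, e.g. `/* csids_open has no magic number and only sanity-checks the first record; keep it last */`, so the next format added goes before it rather than after. The table's ordering convention, if one exists elsewhere in file.c, is outside this hunk.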
@@ -1,6 +1,6 @@
 /* wtap-int.h
 *
- * $Id: wtap-int.h,v 1.3 2000/07/26 06:04:33 guy Exp $
+ * $Id: wtap-int.h,v 1.4 2000/08/08 22:16:42 mhall Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez
@@ -107,6 +107,9 @@ typedef struct {
 int seek_add;
 } ascend_t;
+typedef struct {
+ gboolean byteswapped;
+} csids_t;
 typedef int (*subtype_read_func)(struct wtap*, int*);
 typedef int (*subtype_seek_read_func)(struct wtap*, int, union wtap_pseudo_header*,
@@ -132,6 +135,7 @@ struct wtap {
 netmon_t *netmon;
 netxray_t *netxray;
 ascend_t *ascend;
+ csids_t *csids;
 } capture;
 subtype_read_func subtype_read;
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index ad44f21f2a..f2268ea7da 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -1,6 +1,6 @@
 /* wtap.h
 *
- * $Id: wtap.h,v 1.75 2000/07/26 06:04:34 guy Exp $
+ * $Id: wtap.h,v 1.76 2000/08/08 22:16:42 mhall Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez
@@ -122,9 +122,10 @@
 #define WTAP_FILE_NETTL 19
 #define WTAP_FILE_TOSHIBA 20
 #define WTAP_FILE_I4BTRACE 21
+#define WTAP_FILE_CSIDS 22
 /* last WTAP_FILE_ value + 1 */
-#define WTAP_NUM_FILE_TYPES 22
+#define WTAP_NUM_FILE_TYPES 23
 /*
 * Maximum packet size we'll support.